Hello folks! I have this PF config (for those who cannot see Web things, this config is also at the end of the message):
http://pastebin.com/KZgzRJ6B running well on OpenBSD 5.3 over a Core i5 Ivy Bridge, 16GB of RAM, 120GB SSD, one 3Com 10/100 (driver xl), two Agere (driver et) 10/100/1000, one Attansic (alc) on-board Gigabit, and one Quad Port Intel (em). All things going fine! :) - but there is Akamai... My needs are: put all Akamai CDN traffic (and all the like we can track) through an emergency internet link. This link is an ADSL, not as reliable as our other two links (2x10Mbps, optical, symmetric). And it is not intended to do routing for us, so I cannot just drop my packets as src:187.72.K.L over that ISP's line and expect them to come back through it. In other words, there is no RIPv2 as we have on the other links. So my thought was: why not do NAT through this emergency link? Put a lot of known IPs from Akamai and their friends in a PF table, and have every packet destined to any IP in that table go through this emergency link. How can I solve this? Our two best links are from one ISP, this emergency one is from another. Thank you all for your time!
And as promised, the configuration (sorry about the formatting, I dunno how GMail will treat this):

RFC1918 = "{ 172.16/12, 192.168/16, 10/8, 127/8 }"
INT_NET = "{ internal real IPs }"

ext_if_1 = "em0"
ext_gw_1 = "187.72.A.X"
ext_ip_1 = "187.72.A.Y"

ext_if_2 = "em1"
ext_gw_2 = "187.72.B.X"
ext_ip_2 = "187.72.B.Y"

ext_if_3 = "alc0"
ext_gw_3 = "187.72.C.X"
ext_ip_3 = "187.72.C.Y"

int_if_1 = "em2"
int_gw_1 = "187.72.D.X"
int_ip_1 = "187.72.D.Y"

squid_master_if = "em3"
squid_master_gw = "187.72.E.X"
squid_master_ip = "187.72.E.Y"

#all_ifs = "{ $ext_if_1, $ext_if_2, $ext_if_3, $int_if_1, $squid_master_if }"

# increase default state limit from 10'000 states on busy systems
set limit states 6304000
set limit tables 5000
set limit src-nodes 200000
set limit frags 3000
set optimization normal
set state-defaults pflow, no-sync

set skip on lo

#block private nets
block in log quick on { \
    $ext_if_1, \
    $ext_if_2, \
    $ext_if_3, \
    $squid_master_if, \
    $int_if_1 } from $RFC1918 label "blocking RFC1918"

# test nat-to IP_REAL -> IP_REAL:
pass in on $int_if_1 from 187.72.W.A route-to pppoe0          # can these...
pass out quick on pppoe0 from 187.72.W.A nat-to (pppoe0)      # two rules work? there is a way?

#pass on lo0 all flags S/SA
pass all flags any allow-opts # establish keep-state

# route to squid_master
pass in quick on $int_if_1 proto tcp from { $INT_NET, $int_gw_1 } to port http \
    route-to ($squid_master_if $squid_master_gw)
pass in quick on $ext_if_1 proto tcp from port http to { $INT_NET, $int_gw_1 } \
    route-to ($squid_master_if $squid_master_gw)
pass in quick on $ext_if_2 proto tcp from port http to { $INT_NET, $int_gw_1 } \
    route-to ($squid_master_if $squid_master_gw)
pass in quick on $ext_if_3 proto tcp from port http to { $INT_NET, $int_gw_1 } \
    route-to ($squid_master_if $squid_master_gw)

# route from squid_master
pass in quick on $squid_master_if proto tcp from { $INT_NET, $int_gw_1 } to \
    port http route-to \
    { \
    ($ext_if_1 $ext_gw_1) weight 1, \
    ($ext_if_2 $ext_gw_2) weight 50 \
    } least-states label "cache outbound balancing"
pass in quick on $squid_master_if proto tcp from port http to { $INT_NET, $int_gw_1 } route-to ($int_if_1 $int_gw_1)

# let traffic in!
#pass in quick on $int_if_1 from { $INT_NET, $int_gw_1 } to {\
#$ext_if_1:network, \
#$ext_if_2:network, \
#$ext_if_3:network, \
#$squid_master_if:network }
pass in quick to { \
    $ext_if_1:network, \
    $ext_if_2:network, \
    $ext_if_3:network, \
    $squid_master_if:network } label "passing in to myself nets"

# outbound balancing
pass in quick on $int_if_1 from $int_gw_1 route-to \
    { \
    ($ext_if_1 $ext_gw_1) weight 1, \
    ($ext_if_2 $ext_gw_2) weight 10 \
    } least-states label "outbound balancing NATed"
pass in quick on $int_if_1 from $INT_NET route-to \
    { \
    ($ext_if_1 $ext_gw_1) weight 10, \
    ($ext_if_2 $ext_gw_2) weight 1 \
    } least-states label "outbound balancing all but NATed"
#pass in quick on $int_if_1 from $int_gw_1 route-to ($ext_if_2 $ext_gw_2) \
#    label "outbound NATed to the best link"

# symmetric routing? may be not... ask someone else
pass out on $ext_if_1 from $ext_if_2 route-to ($ext_if_2 $ext_gw_2)
pass out on $ext_if_1 from $ext_if_3 route-to ($ext_if_3 $ext_gw_3)
pass out on $ext_if_2 from $ext_if_1 route-to ($ext_if_1 $ext_gw_1)
pass out on $ext_if_2 from $ext_if_3 route-to ($ext_if_3 $ext_gw_3)
pass out on $ext_if_3 from $ext_if_1 route-to ($ext_if_1 $ext_gw_1)
pass out on $ext_if_3 from $ext_if_2 route-to ($ext_if_2 $ext_gw_2)
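The table-plus-NAT approach the question describes, written out as an added pf.conf fragment for OpenBSD 5.x (this is an editor's example, not the poster's configuration and not a reply from the list). It reuses the poster's macros ($int_if_1, $INT_NET, $int_gw_1) and the pppoe0 interface from the test rules; the table name <akamai>, the file /etc/pf.akamai and the prefix in the comment are placeholders, not real Akamai ranges.

```pf
# Added example, not part of the original post. Steer traffic to a table of
# CDN prefixes out the ADSL link and translate it to that link's address, so
# the return path is the ADSL link's own NAT state rather than the other
# ISP's routing. <akamai>, /etc/pf.akamai and the prefixes are placeholders.

cdn_if = "pppoe0"

# One prefix per line in the file, e.g. 203.0.113.0/24 (placeholder value).
# "persist" keeps the table even when no rule currently references it.
table <akamai> persist file "/etc/pf.akamai"

# Translation is set with "match" and applied by whatever "pass" rule
# finally matches; "($cdn_if)" tracks the address PPPoE assigns dynamically.
match out on $cdn_if from { $INT_NET, $int_gw_1 } nat-to ($cdn_if)

# Place this ABOVE the "outbound balancing" rules: PF stops evaluating at the
# first "quick" match, so a later quick route-to rule would otherwise take
# these packets to the balanced links instead. No next hop is given because
# pppoe0 is a point-to-point interface.
pass in quick on $int_if_1 from { $INT_NET, $int_gw_1 } to <akamai> \
    route-to ($cdn_if) label "cdn via emergency link"

# Let the translated packets leave the ADSL interface; states created here
# reverse the translation for replies arriving on pppoe0.
pass out quick on $cdn_if to <akamai>
```

Reload the table without touching the rest of the ruleset with `pfctl -t akamai -T replace -f /etc/pf.akamai`, and check which rule a flow actually hit with `pfctl -vvsr` (rule counters) or `pfctl -ss | grep <address>` (state entries with their NAT translation).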